The GAO reported that, among other things, sector-specific agencies had yet to update their respective sector-specific plans to fully address key DHScybersecurity criteria. In addition, most agencies had not updated the actions and reported progress in implementing them as called for by DHS guidance. The GAO noted that these shortfalls were evidence that the sector planning process has not been effective and thus leaves the nation in the position of not knowing precisely where it stands in securing cyber critical infrastructures.

The GAO recommended that DHS (1) assess whether existing sector-specific planning processes should continue to be the nation’s approach to securing cyber and other critical infrastructure and consider whether other options would provide more effective results and (2) collaborate with the sectors to develop plans that fully address cybersecurity requirements.